Most people who run a building assume the Legionella rulebook starts with ACoP L8. It doesn’t. L8 is a code of practice that sits on top of something older and far blunter: the Health and Safety at Work etc. Act 1974. The Act is where the legal force comes from. Everything beneath it — the regulations, the code, the technical guidance — exists to spell out how you meet a duty the Act has already placed on you.
That distinction is not academic. The layer a particular obligation lives in decides how hard it bites, who can be prosecuted, and what your defence looks like if a case is ever linked back to your water system. A responsible person who can place each control in the right layer argues from a much stronger position than one who only knows “we follow L8”.
Here is how the layers stack up, and why it matters which one you are standing on.
Why the Act reaches past your own staff
The Health and Safety at Work Act sets out general duties rather than naming specific hazards. Section 2 requires an employer to protect the health and safety of its own employees, so far as is reasonably practicable. Section 3 goes wider: it requires you to protect people who are not your employees but who could be affected by the way you run your undertaking [1]. For Legionella, that second duty is the one that catches people out. The person who breathes in an aerosol from your cooling tower, your shower or your spray tap might be a tenant, a contractor, a patient, a hotel guest or someone simply walking past. They are still your responsibility.
Two phrases in that sentence carry weight. “Reasonably practicable” means you weigh the size of the risk against the time, cost and trouble of controlling it — and you cannot plead cost when the risk is real and the fix is cheap. “Affected by your undertaking” is why Legionella is treated as a workplace duty even in a building with no staff on site at all.
Because the Act is criminal law, the consequences sit with the regulator rather than a private claimant. HSE and local authorities enforce it through improvement and prohibition notices and, for serious breaches, prosecution [1]. The general groundwork for who holds these duties is covered in UK Legionella compliance 101: laws and responsibilities; what enforcement actually looks like is set out in Penalties for failing Legionella compliance in the UK.
From a general duty to Legionella-specific rules
The Act tells you what outcome to achieve. It does not tell you to hold a calorifier at a particular temperature or flush a low-use outlet on any particular day. That detail arrives through the layers below.
The Control of Substances Hazardous to Health Regulations — COSHH — treat Legionella as a biological agent hazardous to health and require you to assess and control exposure to it. Sitting alongside that is the broader duty to carry out a suitable and sufficient risk assessment. ACoP L8 then gives practical effect to those duties for Legionella specifically, setting out the management structure: a risk assessment, a written control scheme, a competent responsible person, implementation, monitoring, record keeping and review [2]. If you want what L8 asks for in working detail, ACoP L8: understanding the UK Legionella Code of Practice covers it.
L8’s status is worth understanding properly. An Approved Code of Practice is not itself the law, but it carries a particular legal weight. If you are prosecuted for a breach and you did not follow the relevant parts of the code, a court can take that as proof of the breach — unless you can show you met the duty in some other, equally effective way [2]. So departing from L8 is allowed, but the burden then falls on you to demonstrate your alternative was at least as good.
HSG274 sits one rung lower again. It is technical guidance — the detailed “how” for hot and cold water, cooling systems and other risk systems — and it carries no special legal status [3]. You are not obliged to follow it to the letter. But it represents recognised good practice, so a regime that quietly ignores it is harder to defend as reasonably practicable.
How the four layers compare
| Instrument | What it is | What it asks of you | Where it bites |
|---|---|---|---|
| Health and Safety at Work Act 1974 | Primary criminal law; the foundation duty | Protect employees and anyone else affected by your work, so far as reasonably practicable | Enforced by HSE and local authorities through notices and prosecution; the heaviest penalties sit here |
| COSHH Regulations 2002 | Regulations made under the Act; legally binding | Assess and control exposure to Legionella as a hazardous biological agent | Breach is a criminal offence in its own right |
| ACoP L8 | Approved Code of Practice; special legal status | Risk assessment, written scheme, competent responsible person, monitoring, records, review | A court treats non-compliance as evidence of breach unless you prove equally effective control |
| HSG274 | Technical guidance; no special legal status | Practical methods for hot and cold water, cooling systems and other risk systems | No direct penalty, but departing from it weakens a “reasonably practicable” defence |
Read the table top to bottom and a pattern appears. Legal force is strongest at the top and most prescriptive at the bottom. The Act tells you the outcome; HSG274 tells you the method; COSHH and L8 are the bridge between them. When you justify a decision, name the layer that actually governs it — that is the difference between an answer an inspector accepts and one they probe.
Putting each control in the right layer
The framework earns its keep when you stop treating compliance as one undifferentiated pile and start tracing each task to its source.
Take three everyday examples. The record showing your responsible person reviewed the monitoring data and signed off the open actions answers L8’s management requirements — keeping that evidence is part of how record-keeping obligations discharge the duty. The decision to cut out a redundant dead leg rather than flush it forever is a reasonably-practicable judgement under the Act: a permanent fix removes the risk, where weekly flushing only manages it. And the dwell time you hold at a calorifier, or how often you flush an intermittently used shower, is HSG274 territory — set through your own risk assessment rather than read off a national rule.
Trace each control like that and two useful things happen. You stop over-engineering low-risk tasks because “the guidance says so” when the guidance is advisory. And you stop under-resourcing the parts that are genuinely non-negotiable because they flow straight from criminal law.
Where the wording really matters
This is general guidance, not legal advice, and the wording of the Act and its regulations matters in ways a summary cannot capture. Whether a specific duty applies to your site, and what “reasonably practicable” means for your particular system and the people exposed to it, is something a competent person settles through a site-specific risk assessment — not something you can read off a four-row table. If a case is ever linked to your premises, it is that assessment and your records that get examined, not how well you can recite the legislation.
Map each control to its layer this week
Pull out your current Legionella risk assessment and written scheme, and against each control measure note which layer it answers to: the Act’s general duty, COSHH, ACoP L8, or HSG274. Anywhere you cannot name the layer, you have either a control with no legal anchor or a duty with no control attached. Both are worth a closer look, and both are far easier to sort out now than to explain to an inspector later.
FAQ
Is Legionella actually named in the Health and Safety at Work Act?
No. The Act sets out general duties and does not mention Legionella, or any specific hazard, by name. The Legionella-specific obligations come from regulations made under the Act — notably COSHH — and from ACoP L8, which interprets those duties for water systems [2].
Does the Act apply if the people at risk are not my employees?
Yes. Section 3 places a duty on employers and the self-employed to protect people who are not employees but could be affected by their work [1]. A tenant, visitor, contractor or member of the public exposed to an aerosol from your system is covered, which is why Legionella is a workplace duty even in buildings with no staff on site.
Do I legally have to follow HSG274 to the letter?
Not in itself — HSG274 is guidance, not law [3]. You can use a different method, but you would need to show it controls the risk at least as effectively. Because the guidance represents recognised good practice, a scheme that departs from it without a documented reason is harder to defend as reasonably practicable.
Sources
[1] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm [2] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [3] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm